<h1>Understanding ArcGIS Server SOE Compromise</h1>
<p>Michael Young, Esri Software Security &amp; Privacy. Published October 14, 2025 (updated October 28, 2025). ArcGIS Blog, Administration / ArcGIS Trust Center: <a href="https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/understanding-arcgis-server-soe-compromise">https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/understanding-arcgis-server-soe-compromise</a></p>
<p><em>Overview of SOE compromise and how to ensure customer operations are not affected.</em></p>

<p>On 10/14/25, Reliaquest (a security vendor) <a href="https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise">published a summary</a> describing how a malicious actor built an ArcGIS Server extension to maintain persistence after an initial compromise achieved through other mechanisms.</p>
<p><strong><em>This issue does NOT affect ArcGIS customers by default, has been confirmed as an issue by only one customer, and requires multiple configuration steps not in alignment with best practices.</em></strong></p>
<p>Esri's incident response team worked with both the customer and the security organization to facilitate investigation efforts. While the initial write-up by Reliaquest mistakenly referred to internal Esri documentation updates being required, Reliaquest subsequently updated it to direct customers to our existing security best practices documentation. Specifically, we recommend the <a href="https://downloads.esri.com/RESOURCES/ENTERPRISEGIS/ArcGIS_Enterprise_Hardening_Guide.pdf">ArcGIS Enterprise Hardening Guide</a>, which is updated on a regular basis.</p>

<p><strong>What are the circumstances necessary for this to occur?</strong></p>
<ol>
<li>The ArcGIS Server Manager interface was exposed to general Internet access. Customers should limit Internet users' access to management interfaces; as stated in our best practices, do not expose management interfaces to the Internet.</li>
<li>Multi-factor authentication (MFA) was not used. Exposing management interfaces without MFA on user accounts should never be done, as clarified in the best practice documentation.</li>
<li>While logs were not available back to the initial time of compromise, the issues above likely gave the malicious user the ability to administer the ArcGIS Enterprise system and deploy a custom Server Object Extension (SOE). The SOE was NOT the initial source of compromise; it was instead used as the gateway for passing information and maintaining persistence in the system. Customers should regularly validate the security posture of their deployment as described in the best practices documentation, which includes ensuring there are no unexpected extensions/plugins installed.</li>
<li>Last, but not least, the ArcGIS Server service account had been elevated to full administrator/root permissions. The customer did this while troubleshooting an issue, and the permissions were NOT returned to the defaults/best practices afterwards. The SOE would have failed had these excessive permissions not been in place.</li>
</ol>

<p><strong><em>Bottom line: this case demonstrates that a deployment that implements numerous layers counter to best practices may be compromised.</em></strong></p>
<p>Using an SOE specifically for passing traffic and as a persistence mechanism is novel, but implementing security best practices would have prevented this issue. If some of the circumstances above seem familiar for your operations, you should immediately work on implementing the guidance within the ArcGIS Enterprise Hardening Guide. As a bonus item, we also strongly recommend deploying a Web Application Firewall (WAF) to further mitigate such risks and provide stronger awareness of attacks; a WAF was another basic component missing from the customer's deployment.</p>

<p><strong>Q&amp;A</strong></p>
<ol>
<li><strong>What product(s) were affected?</strong>
<ul>
<li>Only ArcGIS Server (not ArcGIS Online).</li>
</ul>
</li>
<li><strong>How do I block ArcGIS Server management interfaces from the Internet?</strong>
<ul>
<li>Various options are available depending on your product version; however, the most straightforward mechanism is to implement our <a href="https://trust.arcgis.com/en/customer-documents/ArcGIS_Enterprise_Web_Application_Filter_Rules.pdf?p=0.1663153387601839">WAF rules</a>.</li>
</ul>
</li>
<li><strong>Was there evidence confirming this was a China APT via Flax Typhoon?</strong>
<ul>
<li>No. Reliaquest has not provided additional evidence that this was a China APT beyond the correlated information in the report. Without stronger evidence, this is speculative.</li>
</ul>
</li>
<li><strong>Was the ArcGIS Server Feature Services Security Patch due to this incident?</strong>
<ul>
<li>No. No patches were released due to the issues found in this incident. Ensuring security best practices are in place is the solution for this incident. That being said, we always recommend deploying security patches within 30 days of their release or earlier.</li>
</ul>
</li>
</ol>

<p>Esri Software Security &amp; Privacy</p>